Alan Farrell (Dublin Fingal, Fine Gael)
Link to this: Individually | In context | Oireachtas source

189. To ask the Tánaiste and Minister for Justice and Equality his plans to include specific provisions in the Data Protection Bill 2017 to acknowledge a child's right to be forgotten regarding their information online; his further plans to implement measures which take into account the age at which the person posts information online with regard to decisions on the removal of a person's personal information from the Internet in order to generate stronger protections for children and young persons; and if he will make a statement on the matter. [44989/17]

Charles Flanagan (Laois, Fine Gael)
Link to this: Individually | In context | Oireachtas source

The position is that the General Data Protection Regulation (Regulation (EU) 2016/679), which will apply with effect from 25 May 2018, incorporates increased protections for the personal data of children. For the most part, this Regulation's rules are directly applicable and do not, therefore, require transposition into national law in the forthcoming Data Protection Bill.    

With regard to the "right to be forgotten" (i.e. right to erasure of personal data), Article 17 provides for the right to have personal data erased where the data are no longer required for the purpose for which they were collected or otherwise processed. It also applies where an individual data subject withdraws his or her consent to the processing of the data, and where the data subject objects to the processing and there is no overriding legitimate interest to justify continuation of the processing.

As regards children, the right additionally applies where the personal data are processed in the context of internet services. Recital 65 of the Regulation underlines the importance of the "right to be forgotten" where consent to processing was given when the data subject was a child and not, therefore, fully aware of the risks involved and later wants to remove such personal data, especially on the internet. As already stated, Article 17 is directly applicable and does not require transposition in the Data Protection Bill.

Article 8(1) of the Regulation provides, in the case of information society services offered directly to a child, that the processing of the child's personal data shall be lawful only if and to the extent that consent of the child's parent or guardian has been obtained; the applicable age threshold is 16 years or an age not below 13 years determined by national law. Article 8(2) imposes an obligation on the providers of information society services to children to make reasonable efforts to verify that the necessary consent is given, taking into consideration available technology.

In June last, following completion of consultation processes by my Department and the Government's Data Forum, the Government approved a "digital age of consent" threshold of 13 years for inclusion in the Data Protection Bill.

Supervision and enforcement of the Regulation's provisions in relation to children will be a matter for the independent Data Protection Commissioner.